Stephen Wilson in Lockstep

Stephen Wilson - Lockstep Group

A post relating to this item from Finextra:

Massive Sony data breach leaves card details at risk

27 April 2011  |  9338 views  |  0
More than 70 million Sony PlayStation Network customers are being warned to watch out for scams after the Japanese electronics giant admitted its systems have been hacked and personal information - po...

Is Sony PCI DSS compliant?

27 April 2011  |  7197 views  |  9

It's been over a week and a zillion blog posts and tweets have already circulated about the PlayStation Network breach.  Yet one security issue has yet to be canvassed.  I'm more than a little surprised.

Sony advised its customers: "If you have provided your credit card data through PlayStation Network or Qriocity, to be on the safe side we are advising you that your credit card number (excluding security code) and expiration date may also have been obtained".

So, does anyone know if Sony is PCI-DSS compliant?

Does anyone care?

Comments: (12)

Keith Appleyard - available for hire - Bromley | 28 April, 2011, 13:31

Today (Thu) we have Sony providing some reassurance, saying "The entire credit card table was encrypted and we have no evidence that credit card data was taken."

Assuming they've used strong cryptography, then they appear to be PCI-DSS compliant.

Stephen Wilson - Lockstep Group - Sydney | 30 April, 2011, 09:02

Keith,

We're getting warm. And yet we cannot be left assuming that Sony's cryptography is strong.  After all, one would have assumed they would hash their passwords. 

The question still is, was Sony certified as PCI compliant?

I tried Google News for "sony pci compliant" and funnily enough the third top hit was actually my blog post above!  Hits no. 1 and 2 concern Sony's own claims to have met the PCI encryption requirement.

It's frankly amazing that the PCI status of such a huge merchant is still uncertain days and days after the breach. 


Keith Appleyard - available for hire - Bromley | 03 May, 2011, 14:54

Well we've now got Sony admitting that they had a database that dates back to 2007 that was compromised.

PCI-DSS 3.1 states "Keep cardholder data storage to a minimum. Develop a data retention and disposal policy. Limit storage amount and retention time to that which is required for business, legal, and/or regulatory purposes"

Well once you've been paid by the Credit Card Issuer / Direct Debit Bank, why keep the data longer than say 3 months, rather than 3 years?

So even if Sony did a self-assessment, I don't think they can hand on heart say that they were PCI-DSS compliant as far as this particular database was concerned.

MaryAnn Allison - Payments Industry - Palm Desert | 06 May, 2011, 19:24

Both Visa and MasterCard publish vendors that are PCI compliant and keep it current. The one below was updated on 2 May, 2011.

The link for MasterCard's list is:

http://www.mastercard.com/us/company/en/docs/Compliant%20Service%20Providers%20-%20May%202%202011.pdf

MaryAnn

Keith Appleyard - available for hire - Bromley | 07 May, 2011, 13:47

MaryAnn - thanks for the list, but it appears to be a USA only list - so not surprised if Sony don't appear on it.

MaryAnn Allison - Payments Industry - Palm Desert | 07 May, 2011, 16:39

Both card schemes only keep one list for all approved vendors and do not differentiate across regions. Their lists will be very similar, with a few exceptions. 

The MasterCard list is just easier to find than Visa's. And you are correct, Sony is not on the list.

Keith Appleyard - available for hire - Bromley | 07 May, 2011, 17:41

MaryAnn - I can't believe that this is the master list - because not a single one of the 10 largest retail stores in UK/France/Germany/Spain appear on this list.

MaryAnn Allison - Payments Industry - Palm Desert | 07 May, 2011, 18:51

Hi Keith,

Since I am viewing this list from the public MasterCard.com website, you may have a point. There is a different list via a MasterCard supplied user id for their extranet MOL (MasterCard Online) that I am more accustomed to viewing, which is the one stop shop.

If you are comfortable with different languages, you may want to give this a go yourself to do some checking in Europe. Here is a link to give you a start, the rest is intuitive but I do a search on "pci compliant vendors".

http://www.mastercard.us/?html_get=/mccomsrch/ui.jsp%3Fui_mode%3Dnavigate%26charset%3DUTF-8%26language%3Den-US%26facet%3DMCCOM.Personal%26facetCollectionID%3D%26structured_chart%3D%26question_box%3Dpci%20compliant%20vendors%26searchtext%3Dpci%20compliant%20vendors

This screen offers the selection of region/language. Once you have made your selection and are sent to the next screen I recommend you choose Issuers in the upper right hand corner. Then do your search for PCI compliant vendors.

I'm off to escape the 100F temps and headed to the beach for the rest of the weekend. Good luck!

MaryAnn

John Dring - Intel Network Services - Swindon | 11 May, 2011, 23:20

Just a slight aside - I found it typical that the welcome page for MC shows a consumer 'handing over their chip and pin smart card' to the merchant ( http://www.mastercard.com/global/).  There is never a need to part with one's chip and pin with a reputable merchant!

On the Sony debacle - I think it shows me that the PCI standard is more of a best practices guideline than a policed standard.


MaryAnn Allison - Payments Industry - Palm Desert | 12 May, 2011, 03:43

Hi John,

Yes, I agree you may be on to something here. The list is typically used by financial institutions as a resource to review as part of their annual due diligence of their partners. The purpose of the PCI Compliant vendors list is for both card schemes to identify the parties that they acknowledge as having passed a PCI audit. Visa goes an extra step and sends an acceptance letter, which the banks also request of their service provider.

I also find it interesting that no one else has come forward with any additional information. There must be someone out there who could provide a global list from one of the card scheme's extranets. In the meantime, whilst we speculate, it is risky to assume if Sony is not on the list, they might not be PCI compliant without knowledge of how their relationship with the card schemes is structured. It is entirely possible that Sony are indeed working within established guidelines.

I find the silence to be an interesting commentary in and of itself.

Stephen Wilson - Lockstep Group - Sydney | 12 May, 2011, 21:06

John Dring wrote "Sony ... shows me that the PCI standard is more of a best practices guideline than a policed standard".

Channelling Captain Jack Sparrow, Pirates of the Caribbean, are we? ;-)

Stephen Wilson - Lockstep Group - Sydney | 12 May, 2011, 23:32

But seriously folks, I agree with MaryAnn Allison that the silence is remarkable. As I suggested at the outset, maybe nobody really cares anymore?

Now, disenchantment with PCI is a real story. 

The PCI regime is a hugely expensive exercise with uncertain impact on cybercrime.  Vast volumes of card numbers continue to be stolen.  And like so many audit regimes of the past, when certified organisations fail -- whether it be financial collapse, quality lapse, or security breach -- endless legal debates break out about the very meaning of audit. It's a bit late for this argument isn't it?

I've had numerous PCI QSAs tell me that their inspections only provide a snapshot, and it's not their fault that companies might be breached in between visits.  Seriously?! If PCI certification doesn't provide some confidence about security all the time, and not just when the QSA is looking, what good is it? Tick box auditing has sunk to new lows when QSAs can so quickly distance themselves from problems like this.

If PCI is supposed to be so important, then surely by now there would be definitive news about the status of Sony.  All we have is the company's own assertions that the card numbers were "encrypted" and that therefore they were PCI compliant.  No naming of an actual QSA.  No clear white lists from the card companies.  And no testing of this "encryption" claim. 

I had a laptop with encrypted HDD crash on me once, with total loss of the motherboard.  My IT guy took out the disk drive, plugged it into another machine, and cracked the key in less than an hour.  All my data was retrieved.  If the PSN security designers couldn't even be bothered hashing the members' passwords, then I have little confidence that they knew what they were doing with encryption.
